author | Andreas Metzler <ametzler@debian.org> | 2011-01-24 19:01:39 +0000 |
---|---|---|
committer | Andreas Metzler <ametzler@debian.org> | 2011-01-24 19:01:39 +0000 |
commit | 938026ce70f42942cb1b270e366aaae3fd64ca35 (patch) | |
tree | 8c0ce18cb0b800001a98769fb4233674fc7e0c4d | |
parent | bb3b6416782cb043e3ca854faf0144a53d6437cb (diff) | |
parent | b458d83572a03ac9b28cb0a997318254812e2362 (diff) | |
[svn-buildpackage] Tagging exim4 4.69-9+lenny34.69-9+lenny3
svn path=/exim/tags/4.69-9+lenny3/; revision=2565
-rw-r--r-- | debian/changelog | 18 | ||||
-rw-r--r-- | debian/patches/00list | 2 | ||||
-rwxr-xr-x | debian/patches/80_4.74_CVE-2011-0017.dpatch | 112 | ||||
-rwxr-xr-x | debian/patches/80_4.74_deliverylogging.dpatch | 31 |
4 files changed, 158 insertions, 5 deletions
diff --git a/debian/changelog b/debian/changelog
index 994b064..27ddbad 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,16 @@
-exim4 (4.69-9+lenny3) UNRELEASED; urgency=low
-
- * NOT RELEASED YET
-
- -- Andreas Metzler <ametzler@debian.org> Thu, 06 Jan 2011 13:25:18 +0100
+exim4 (4.69-9+lenny3) stable-security; urgency=low
+
+ * 80_4.74_CVE-2011-0017.dpatch (Pulled from upstream git): Check return
+ values of setgid/setuid. This is a privilege escalation vulnerability
+ whereby the Exim run-time user can cause root to append content of the
+ attacker's choosing to arbitrary files.
+ * 80_4.74_deliverylogging.dpatch (Pulled from upstream git): If a non-debug
+ daemon was invoked with a non-whitelisted macro, then logs from after
+ attempting delivery would be silently lost, including for successful
+ delivery. This log-loss bug was introduced as part of the security
+ lockdown for fixing CVE-2010-4345. Closes: #610611
+
+ -- Andreas Metzler <ametzler@debian.org> Mon, 24 Jan 2011 19:31:06 +0100
 
 exim4 (4.69-9+lenny2) stable-security; urgency=high
 
diff --git a/debian/patches/00list b/debian/patches/00list
index 8441a55..879f2cb 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -21,5 +21,7 @@
 80_4.73rc1_6_nonroot_system_filter_user.dpatch
 80_4.73rc1_7_filter_D_option.dpatch
 80_4.73rc1_8_updatedocumentation.dpatch
+80_4.74_CVE-2011-0017.dpatch
+80_4.74_deliverylogging.dpatch
 81_pool_reset_issue.dpatch
 82_string_format_overflow.dpatch
diff --git a/debian/patches/80_4.74_CVE-2011-0017.dpatch b/debian/patches/80_4.74_CVE-2011-0017.dpatch
new file mode 100755
index 0000000..b618547
--- /dev/null
+++ b/debian/patches/80_4.74_CVE-2011-0017.dpatch
@@ -0,0 +1,112 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 80_4.74_CVE-2011-0017.dpatch by Phil Pennock <pdp@exim.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Check return values of setgid/setuid.
+## DP:
+## DP: CVE-2011-0017
+## DP: One assertion of the unimportance of checking the return value was
+## DP: wrong in the event of a compromised exim run-time user.
+## DP: 1670ef10063d7708eb736a482d1ad25b9c59521d
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' exim-4.69~/build-tree/src/exim.c exim-4.69/build-tree/src/exim.c
+--- exim-4.69~/build-tree/src/exim.c 2011-01-24 19:12:39.000000000 +0100
++++ exim-4.69/build-tree/src/exim.c 2011-01-24 19:14:35.000000000 +0100
+@@ -1412,7 +1412,7 @@
+ int filter_sfd = -1;
+ int filter_ufd = -1;
+ int group_count;
+-int i;
++int i, rv;
+ int list_queue_option = 0;
+ int msg_action = 0;
+ int msg_action_arg = -1;
+@@ -1744,8 +1744,20 @@
+
+ if (real_uid == root_uid)
+ {
+- setgid(real_gid);
+- setuid(real_uid);
++ rv = setgid(real_gid);
++ if (rv)
++ {
++ fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
++ (long int)real_gid, strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++ rv = setuid(real_uid);
++ if (rv)
++ {
++ fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
++ (long int)real_uid, strerror(errno));
++ exit(EXIT_FAILURE);
++ }
+ }
+
+ /* If neither the original real uid nor the original euid was root, Exim is
+@@ -3945,7 +3957,28 @@
+
+ /* When we are retaining a privileged uid, we still change to the exim gid. */
+
+-else setgid(exim_gid);
++else
++ {
++ int rv;
++ rv = setgid(exim_gid);
++ /* Impact of failure is that some stuff might end up with an incorrect group.
++ We track this for failures from root, since any attempt to change privilege
++ by root should succeed and failures should be examined. For non-root,
++ there's no security risk. For me, it's { exim -bV } on a just-built binary,
++ no need to complain then. */
++ if (rv == -1)
++ {
++ if (!unprivileged)
++ {
++ fprintf(stderr,
++ "exim: changing group failed: %s\n", strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++ else
++ debug_printf("changing group to %ld failed: %s\n",
++ (long int)exim_gid, strerror(errno));
++ }
++ }
+
+ /* Handle a request to list the delivery queue */
+
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' exim-4.69~/build-tree/src/log.c exim-4.69/build-tree/src/log.c
+--- exim-4.69~/build-tree/src/log.c 2007-08-22 12:10:23.000000000 +0200
++++ exim-4.69/build-tree/src/log.c 2011-01-24 19:14:35.000000000 +0100
+@@ -343,17 +343,26 @@
+
+ else if (euid == root_uid)
+ {
+- int status;
++ int status, rv;
+ pid_t pid = fork();
+
+ /* In the subprocess, change uid/gid and do the creation. Return 0 from the
+- subprocess on success. There doesn't seem much point in testing for setgid
+- and setuid errors. */
++ subprocess on success. If we don't check for setuid failures, then the file
++ can be created as root, so vulnerabilities which cause setuid to fail mean
++ that the Exim user can use symlinks to cause a file to be opened/created as
++ root. We always open for append, so can't nuke existing content but it would
++ still be Rather Bad. */
+
+ if (pid == 0)
+ {
+- (void)setgid(exim_gid);
+- (void)setuid(exim_uid);
++ rv = setgid(exim_gid);
++ if (rv)
++ die(US"exim: setgid for log-file creation failed, aborting",
++ US"Unexpected log failure, please try later");
++ rv = setuid(exim_uid);
++ if (rv)
++ die(US"exim: setuid for log-file creation failed, aborting",
++ US"Unexpected log failure, please try later");
+ _exit((create_log(buffer) < 0)? 1 : 0);
+ }
+
diff --git a/debian/patches/80_4.74_deliverylogging.dpatch b/debian/patches/80_4.74_deliverylogging.dpatch
new file mode 100755
index 0000000..e9e9794
--- /dev/null
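Review bot: The `int rv;` declared inside the new `else` block of the `@@ -3945,7 +3957,28 @@` hunk shadows the `rv` that the `@@ -1412,7 +1412,7 @@` hunk adds to the function's declarations (`int i, rv;`), assuming — as the shared context suggests — that all three exim.c hunks sit in the same function; dropping the inner declaration avoids a -Wshadow warning and leaves a single variable of that name. That block also tests `if (rv == -1)` where the two earlier sites test `if (rv)`; since setgid() and setuid() return only 0 or -1, writing `if (rv != 0)` at all three sites would read consistently. In the log.c child, an extra guard before create_log() in the spirit of CERT POS37-C, `if (getuid() != exim_uid || geteuid() != exim_uid) die(...)`, confirms that the drop actually took effect instead of relying on the return value alone. The enclosing functions in exim.c and log.c start and end outside the hunks.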
+++ b/debian/patches/80_4.74_deliverylogging.dpatch
@@ -0,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 80_4.74_deliverylogging.dpatch by Phil Pennock <pdp@exim.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Bug 1071: fix delivery logging with untrusted macros.
+## DP:
+## DP: If dropping privileges for untrusted macros, we disabled normal logging
+## DP: on the basis that it would fail; for the Exim run-time user, this is not
+## DP: the case, and it resulted in successful deliveries going unlogged.
+## DP: b7487bcec431809cb7fc3c2b42fcd607e43d37e7
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' exim-4.69~/build-tree/src/exim.c exim-4.69/build-tree/src/exim.c
+--- exim-4.69~/build-tree/src/exim.c 2011-01-24 19:21:00.000000000 +0100
++++ exim-4.69/build-tree/src/exim.c 2011-01-24 19:21:50.000000000 +0100
+@@ -3418,9 +3418,13 @@
+ and should be used for any logging information because attempts to write
+ to the log will usually fail. To arrange this, we unset really_exim. However,
+ if no stderr is available there is no point - we might as well have a go
+- at the log (if it fails, syslog will be written). */
++ at the log (if it fails, syslog will be written).
+
+- if (log_stderr != NULL) really_exim = FALSE;
++ Note that if the invoker is Exim, the logs remain available. Messing with
++ this causes unlogged successful deliveries. */
++
++ if ((log_stderr != NULL) && (real_uid != exim_uid))
++ really_exim = FALSE;
+ }
+
+ /* Privilege is to be retained for the moment. It may be dropped later,